Attackers Target ProxyLogon Exploit to Install Cryptojacker

Threat actors targeted compromised Exchange servers to host malicious Monero cryptominer in an “unusual attack,” Sophos researchers discovered.

Cryptojacking can be added to the list of threats that face any unpatched Exchange servers that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.

Researchers discovered the threat actors using Exchange servers compromised using the highly publicized exploit chain—which suffered a barrage of attacks from advanced persistent threat (APT) groups to infect systems with everything from ransomware to webshells—to host Monero cryptomining malware, according to a report posted online this week by SophosLabs.

“An unknown attacker has been attempting to leverage what’s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,” Sophos principal researcher  wrote in the report.

Attackers Target ProxyLogon Exploit to Install Cryptojacker | Threatpost